More than half of small firms plan on using Privacy Shield – survey

But it’s still not the most popular way to zip data across the pond

Almost half of the organisations surveyed by the International Association of Privacy Professionals say they will use the Privacy Shield data-sharing framework in the next year.

Agreed last summer, the deal between the European Union and the US aims to safeguard EU citizens' data when it is transferred to the States. It replaced the Safe Harbour agreement that was ruled invalid as a result of Max Schrems' case against Facebook.

Despite legal challenges against Privacy Shield – not to mention uncertainty over the change in US administration – around 2,400 companies have signed up to the scheme so far.

This is around half as many as the 5,000 companies that had signed up to Safe Harbour, and there has been some concern that firms are not relying on the agreement in practice.

Kathryn Wynn, partner at Pinsent Masons, told The Register last week that "there's not that many examples of it actually being used". She said the new US administration's travel bans and ongoing legal challenges might be "putting people off" in case the deal is rendered partly or wholly invalid.

However, the survey carried out by IAPP with consultancy EY Advisory Services – which is part of a larger annual report on privacy governance to be published next month – indicated increased interest in the deal.

According to the survey, 47 per cent of firms are planning to use Privacy Shield in the next year, compared with 34 per cent in last year's survey.

For small to medium-sized firms, the number is greater, with 67 per cent saying they will use it as a data transfer mechanism in the next year.

But the IAPP acknowledged that there are still underlying concerns about the future of the agreement, noting the importance of the outcome of the "Schrems 2.0" case – a follow-up to the one that took down Safe Harbour – and the European Commission's inaugural annual review.

Some of this uncertainty is apparent in the survey's other results, which found that Privacy Shield was far from being the most popular way of transferring data between the US and the EU.

Some 88 per cent of organisations in the survey use standard contractual clauses – known as model clauses – to transfer data, which have themselves been challenged in court. This is up from 80 per cent in last year's survey.

Trevor Hughes, IAPP president and chief exec, said that, overall, the results showed that industry had "quickly" adopted Privacy Shield, which he put down to "the importance companies place on the ability to transfer personal data from the EU to the US".

But he added: "Any disruption of the methods organisations have in place, coming from either the Commission's annual review or ultimately the decision of the European high court in cases already pending, would be profoundly felt." ®